Does anyone know how the "Blacklist IP Now" feature in Connection Events should work. It seems to add the IP address to the "Global Blacklist" but I still see future connections from that IP being allowed.
In the image below, 220.127.116.11 has been blacklisted.
You can Blacklist a Destination IP address (Responder IP) by doing a right-click on the specific IP > Blacklist IP Now.
see helpful link:
You can verify the added Blacklist IP by going again to Objects > Security Intelligence > Network Lists and Feed > Global-Blacklist > edit (pencil icon).
What I am trying to do is Blacklist the Initiator IP.
The FMC will allow me to select the initiator address and select Blacklist Now and it indeed gets successfully added to the Global Blacklist but future connections from that blacklisted address are still allowed based on the Connection Events log